Web Authorization Protocol (oauth)
----------------------------------

 Charter

 Current Status: Active

 Chairs:
     Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
     Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>

 Security Area Directors:
     Roman Danyliw <rdd@cert.org>
     Benjamin Kaduk <kaduk@mit.edu>

 Security Area Advisor:
     Roman Danyliw <rdd@cert.org>

 Mailing Lists:
     General Discussion: oauth@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/oauth
     Archive:            https://mailarchive.ietf.org/arch/browse/oauth/

Description of Working Group:

  The Web Authorization (OAuth) protocol allows a user to grant a
  third-party web site or application access to the user's protected
  resources, without necessarily revealing their long-term credentials,
  or even their identity. For example, a photo-sharing site that
  supports OAuth could allow its users to use a third-party printing web
  site to print their private pictures, without allowing the printing
  site to gain full control of the user's account and without having the
  user share his or her photo-sharing sites' long-term credential with
  the printing site.

  The OAuth 2.0 protocol suite already includes

  * a procedure for enabling a client to register with an authorization
    server,
  * a protocol for obtaining authorization tokens from an authorization
    server with the resource owner's consent, and
  * protocols for presenting these authorization tokens to protected
    resources for access to a resource.

  This protocol suite has been enhanced with functionality for
  interworking with legacy identity infrastructure (such as SAML), token
  revocation, token exchange, dynamic client registration, token
  introspection, a standardized token format with the JSON Web Token, and
  specifications that mitigate security attacks, such as Proof Key for
  Code Exchange.

  The ongoing standardization efforts within the OAuth working group
  focus on increasing interoperability of OAuth deployments and to
  improve security. More specifically, the working group is defining proof
  of possession tokens, developing a discovery mechanism, providing
  guidance for the use of OAuth with native apps, re-introducing
  the device flow used by devices with limited user interfaces, additional
  security enhancements for clients communicating with multiple service
  providers, definition of claims used with JSON Web Tokens, techniques to
  mitigate open redirector attacks, as well as guidance on encoding state
  information.

  For feedback and discussion about our specifications please
  subscribe to our public mailing list at <oauth AT ietf.org>.

  For security related bug reports that relate to our specifications
  please contact <oauth-security-reports AT ietf.org>. If the reported
  bug report turns out to be implementation-specific we will attempt
  to forward it to the appropriate developers.

Goals and Milestones:
  Mar 2021 - Submit 'OAuth 2.0 Pushed Authorization Requests" to IESG
  Jul 2021 - Submit 'OAuth 2.0 Security Best Practice" to IESG
  Jul 2021 - Submit "OAuth 2.1 Authorization Framework" to IESG
  Oct 2021 - Submit "OAuth 2.0 for Browser-Based Apps" to IES
  Jan 2022 - Submit "OAuth 2.0 Proof-of-Posession at the Application Layer" to IESG
  Apr 2022 - Submit "OAuth 2.0 Authorization Server Issue Identifier in Authorization Response" to IESG
  Done     - Submit 'OAuth 2.0 Proof-of-Possession (PoP) Security Architecture' to the IESG
  Done     - Submit 'Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)' to the IESG
  Done     - Submit 'Request by JWS ver.1.0 for OAuth 2.0' to the IESG for consideration as a Proposed Standard
  Done     - Submit 'Authentication Method Reference Values' to the IESG
  Done     - Submit 'OAuth 2.0 for Native Apps' to the IESG
  Done     - Submit 'OAuth 2.0 Authorization Server Discovery Metadata' to the IESG
  Done     - Submit 'OAuth 2.0 Device Flow' to the IESG
  Done     - Submit 'OAuth 2.0 Token Exchange' to the IESG for consideration as a Proposed Standard